more technically, from a mathematical pov there is likely some valid public key that has the same hash (as the hash is only 160 bits, vs 256 for the full key), but in practice it becomes unspendable since no one knows what that valid key is

DSidH, I'm actually not sure what's the safe and correct way to handle that. I'm returning "not a point" for both non points and the point at infinity, but it only means "error" depending on what the program is doing. for example in signature validation \ pubkey recovery, the r value is allowed to be an invalid x coordinate in some cases, like in the rec_r_big file I posted on gist. the sec1-v2 doc says when you should be failing and when

but yea since I can just feed you signatures where ( s = z/k ), there should be a safe way to handle that.. I'm failing with "Runtime error (func=invmod, adr=37): Divide by zero" which is not very nice :)